New research has found that a vulnerability in Application Load Balancer, an Amazon Web Services traffic routing service, could be exploited by attackers to bypass access controls and compromise web applications. The weakness is not a software bug in the service itself: it is introduced by the way AWS customers configure authentication on their Application Load Balancers.
Implementation issues are a key component of cloud security, just as the contents of an armored safe are not protected if its door is left ajar. Researchers at security firm Miggo found that, depending on how Application Load Balancer authentication is configured, an attacker could manipulate the handoff to a third-party corporate authentication service to gain access to a target web application and view or exfiltrate data.
After examining publicly available web applications, the researchers say they found more than 15,000 that appear to have vulnerable configurations. But AWS disputes that estimate, saying “a small percentage of AWS customers likely have these misconfigured applications, far fewer than the researchers estimate.” The company also says it's contacting each customer on the list to recommend more secure implementations. But because AWS doesn't have access to or visibility into its customers' cloud environments, the exact number is only an estimate.
Miggo researchers say they encountered the issue while working with a customer. It “was discovered in a real production environment,” says Miggo CEO Daniel Shechter. “We observed strange behavior in the customer's system. It seemed like the validation process was only partially done, and something was missing. This shows how deep the interdependencies are between customers and vendors.”
To exploit the implementation issue, an attacker would set up an AWS account and an Application Load Balancer of their own and have it sign authentication tokens, as any Application Load Balancer normally does. The attacker would then change its configuration so that the token appears to have been issued by the target's authentication service, have AWS sign that token, and present it to the target application as if it had been legitimately issued. The attack would need to target a misconfigured application that is publicly accessible or already reachable by the attacker, allowing them to escalate their privileges within the system.
Amazon Web Services disputes that token forgery could be accomplished in this manner, saying the behavior the researchers describe is the expected outcome of choosing to configure authentication in a particular way, and that it does not amount to a bypass. However, after Miggo researchers first disclosed their findings to AWS in early April, the company made two documentation changes to update its implementation recommendations for Application Load Balancer authentication. The first, on May 1, was guidance to add validation before the Application Load Balancer signs tokens. On July 19, the company also added a clear recommendation that customers configure their applications to accept traffic only from their own Application Load Balancers, using the AWS “security groups” feature, so that the application cannot be reached directly while bypassing the load balancer.
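The attack described in the two paragraphs above, and the token validation that closes it, as an added Go example (not code from Miggo, AWS or this article). It assumes the token layout AWS documents for the JWT an Application Load Balancer forwards to the application (ES256, a `signer` header field carrying the ARN of the load balancer the token was minted for, an `iss` field taken from that load balancer's OIDC configuration), which the article itself does not name. The signing key, the two load balancer ARNs and the IdP URL are constructed for the demo, and one locally generated key stands in for the regional key AWS uses to sign tokens for every load balancer in a region. A verifier that only checks the signature accepts a token minted through an attacker's load balancer; a verifier that pins `signer` to its own load balancer's ARN rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header: the JWT header fields AWS documents for an ALB-issued token (assumed layout).
type Header struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"` // ARN of the ALB the token was minted for; set by AWS
	Iss    string `json:"iss"`    // from the ALB owner's OIDC configuration
	Exp    int64  `json:"exp"`
}

var ErrMalformed = errors.New("malformed token")
var ErrBadSig = errors.New("unknown kid or signature does not verify")
var ErrWrongSigner = errors.New("token was minted for a different load balancer")
var ErrWrongIssuer = errors.New("unexpected issuer")
var ErrExpired = errors.New("token expired")

// MintToken builds an ES256 JWT the way AWS does for an ALB after an OIDC login.
// The ALB owner controls iss through their configuration; only AWS controls signer.
func MintToken(key *ecdsa.PrivateKey, kid, signer, iss string, exp time.Time, claims map[string]any) (string, error) {
	hdr, e1 := json.Marshal(Header{Alg: "ES256", Kid: kid, Signer: signer, Iss: iss, Exp: exp.Unix()})
	body, e2 := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	r, s, e3 := ecdsa.Sign(rand.Reader, key, sum[:])
	if e1 != nil || e2 != nil || e3 != nil {
		return "", fmt.Errorf("mint: %v %v %v", e1, e2, e3)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JOSE ES256: raw R||S
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyNaive is the misconfigured check: kid lookup plus ES256 verification and
// nothing else, so any token AWS signed for any ALB in the region is accepted.
func VerifyNaive(ks map[string]*ecdsa.PublicKey, token string) (hdr Header, claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, nil, ErrMalformed
	}
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawBody, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawBody, &claims) != nil || hdr.Alg != "ES256" {
		return Header{}, nil, ErrMalformed
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := ks[hdr.Kid]; pub == nil || !ecdsa.Verify(pub, sum[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return Header{}, nil, ErrBadSig
	}
	return hdr, claims, nil
}

// VerifyStrict adds the checks that close the hole: signer pinned to our own ALB's ARN,
// iss pinned to our IdP, exp enforced. Pinning iss alone does not help (attacker sets iss).
func VerifyStrict(ks map[string]*ecdsa.PublicKey, token, ourALB, ourIdP string, now time.Time) (map[string]any, error) {
	hdr, claims, err := VerifyNaive(ks, token)
	switch {
	case err != nil:
		return nil, err
	case hdr.Signer != ourALB:
		return nil, ErrWrongSigner
	case hdr.Iss != ourIdP:
		return nil, ErrWrongIssuer
	case !now.Before(time.Unix(hdr.Exp, 0)):
		return nil, ErrExpired
	}
	return claims, nil
}

func main() {
	// Constructed demo values; awsKey stands in for the regional key AWS uses to sign
	// tokens for every ALB in the region, the attacker's included.
	awsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ks := map[string]*ecdsa.PublicKey{"kid-1": &awsKey.PublicKey}
	ourALB := "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/victim/abc123"
	evilALB := "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/app/attacker/def456"
	idp, exp := "https://idp.example.com", time.Now().Add(2*time.Minute)
	for _, alb := range []string{ourALB, evilALB} { // mint for our ALB, then for the attacker's
		tok, _ := MintToken(awsKey, "kid-1", alb, idp, exp, map[string]any{"sub": "alice"})
		_, _, naive := VerifyNaive(ks, tok)
		_, strict := VerifyStrict(ks, tok, ourALB, idp, time.Now())
		fmt.Printf("signer=%s\n  naive verifier: %v\n  strict verifier: %v\n", alb, naive, strict)
	}
}
```

The attacker's token carries the victim's `iss` because the attacker chose that issuer when configuring their own load balancer, so checking `iss` on its own changes nothing; `signer` is the field the attacker cannot choose. The second documentation change (security groups that admit only the application's own load balancer) is a network-layer control and sits outside this code.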